Privacy Policy
1. Controller & Contact
| Controller (Art. 4 No 7 GDPR) | Jonathan-Silvester Stone (Einzelunternehmer) |
| Mailing Address | Schonensche Straße 13, 10439 Berlin, Germany |
| E-mail | jonathan@purpit.ai |
| Telephone | +49 173 2954198 |
| VAT ID (§ 27a UStG) | DE 815 206 962 |
| Data-Protection Officer | Not required under Art. 37 GDPR |
2. Scope
This policy covers processing of personal data when you:
- Visit https://purpit.ai
- Sign up for early access or join our waitlist
- Use Purpit to capture decisions and track reasoning
- Connect integrations (Slack, Linear, Jira, GitHub)
- Send or receive e-mails
- Book calls or demos via Calendly
Governed by GDPR, German BDSG, California CCPA/CPRA (where applicable).
3. Definitions (Art. 4 GDPR)
Terms like "personal data," "processing," "controller," "processor," etc., have the meanings given in Art. 4 GDPR.
4. Legal Bases (Art. 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Account creation & OAuth login | Contract performance (Art. 6(1)(b)) |
| Fraud prevention, security logs, essential cookies | Legitimate interest (Art. 6(1)(f)) |
| Invoicing, tax & bookkeeping | Legal obligation (Art. 6(1)(c)) |
| Customer support | Legitimate interest (Art. 6(1)(f)) |
| Marketing e-mails & analytics cookies | Consent (Art. 6(1)(a) / § 25 TTDSG) |
No automated decision-making or profiling producing legal effects is performed.
5. Categories of Data
1. Data you provide
- Account info: name, e-mail, company
- OAuth profiles: Slack/Google ID, e-mail, profile picture
- Decision data: tickets, reasoning, artifacts
- Support transcripts
2. Data collected automatically
- Technical logs: IP, device, browser, referrer, timestamp
- Usage metrics: feature clicks, session length, error logs
3. Third-party data
- Slack: workspace ID, user ID, e-mail, messages (if integration connected)
- Linear/Jira: ticket data, project info (if integration connected)
- GitHub: PR data, commits (if integration connected)
- Google Analytics: anonymized IP, pageviews (opt-in)
6. Purposes of Processing
- Service provision – operate Purpit, capture decisions, detect drift
- Security & fraud defence – monitor log-ins, retain server logs
- Customer support & feedback – support interactions
- Product analytics – improve UX (only with cookie consent)
- Marketing – newsletters & product updates (opt-out anytime)
7. Recipients & Processors (Art. 28)
| Category | Provider | Jurisdiction | Safeguard |
|---|---|---|---|
| Hosting & DB | Supabase | US | DPA + SCCs |
| AI Processing | OpenAI | US | DPA + SCCs |
| Cloud Services | Google Cloud | US / IE | DPA + Privacy Framework |
| Integration | Slack | US | DPA + SCCs |
| Email Delivery | Resend | US | DPA + SCCs |
All processors are bound by written DPAs; sub-processing only with prior authorization. View all DPAs here.
8. International Transfers (Art. 44 ff.)
Primary data sits in the US. Transfers rely on:
- EU–US Data Privacy Framework (Google)
- Standard Contractual Clauses (2021/914 EU) with TLS & AES-256
Copies of SCCs/DPF certifications available on our DPA page or on request: jonathan@purpit.ai
9. Cookies & Tracking (§ 25 TTDSG)
| Type | Name / Provider | Purpose | Storage |
|---|---|---|---|
| Essential | session_id (first-party) | Login, CSRF protection | 7 days |
| Analytics* | _ga (Google) | Site analytics | 14 months |
*Only after you "Accept" on our banner; withdraw consent anytime.
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law.
| Data Set | Retention Period |
|---|---|
| Account data | Life of account + 7 years (HGB § 257) |
| Invoices & records | 10 years (AO § 147) |
| Server logs (technical) | 12 months |
| OAuth tokens | Deleted within 30 days after account deletion |
| Marketing consents | 5 years (BfDI guidance) |
11. Security Measures (Art. 32)
- TLS 1.3 in transit, AES-256 at rest
- Annual penetration tests; critical patches ≤ 30 days
- Role-based access controls
- 72-hour breach notification (Art. 33 GDPR)
12. Your Rights
You may at any time exercise:
- Access, correction, deletion, restriction, portability, objection (Art. 15–21)
- Withdraw consent (future processing only)
- Request export or deletion of your data—subject to legal retention obligations
Requests: jonathan@purpit.ai — we reply within 30 days; ID verification required.
13. California Privacy Notice (CCPA/CPRA)
We do not "sell" or "share" personal info for cross-context behavioral ads.
California residents may request:
- Disclosure of categories & specific data
- Deletion or correction
Via jonathan@purpit.ai. No discriminatory treatment for exercising rights.
14. Supervisory Authority
You have the right to lodge a complaint with:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219, 10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de/
15. Changes
Material changes (new processors or legal bases) announced 30 days in advance via e-mail and banner; consent renewed if required.
16. Contact
Data-protection queries: jonathan@purpit.ai
Postal address: Schonensche Straße 13, 10439 Berlin, Germany
Last Updated: 09 December 2025